Companies have been struggling to comply with a growing mountain of laws and regulations over the past 10-15 years and GDPR is just the latest of many.
But the European Union’s General Data Protection Regulation (GDPR) could be the regulation that buries your organization in an avalanche of compliance.
At the beginning, most companies tried to cope with the rules using simple DOC or XLS files. They were working in silos, handing over checklists and not knowing what their other colleagues were doing. This procedure was obviously prone to error. They didn’t have a single point of truth and could not be sure that everything was done in time; there was no transparency about who did what, when and how. Documentation was incomplete and not audit-proof, and it may have been just plain wrong.
So how do organizations stay on top of a mountain of rules and regulations, including GDPR? Many organizations have implemented governance, risk and compliance (GRC) management solutions that can be used to establish a complete and efficient internal control system. The best systems cover all laws and regulations in a central repository, making it easy to add further regulations and helping organizations adapt to regulatory changes easily.
But transparency regarding compliance risks and controls is not enough. Controls should be tested regularly, and documentation of the results must be made available to external auditors in order to prove compliance easily. A workflow with clear tasks and responsibilities helps maintain an overview. If risks, controls and test cases are combined with business process analysis (BPA) and embedded into process steps, GRC management can also help to improve performance and align all measures with the corporate strategy.
If you don’t have an effective GRC system in place, you ought to hurry up. There’s not much time left before May 25, 2018, when the new GDPR rules will become effective. (See previous posts.)
If you already have a GRC solution in place, congratulations! You are already well set up, but this doesn’t mean that you can lean back. The new law is a little more challenging than it looks at first sight. First, it is required that you establish a dedicated Data Protection Officer (DPO) who is responsible for ensuring GDPR compliance.
Maybe this way you can stay on top of the mountain of regulation, rather than risk being buried in the avalanche.